Forwarded from: William Knowles <wkat_private>

http://www.wired.com/news/business/0,1367,60052,00.html

[Sad thing is few if any companies will heed the lesson in this story by forcing their employees to keep their PDAs locked, encrypted, or afterward, clean of proprietary information once they've left the company. One thing I do see happening out of this story is the prices of used BlackBerrys will be going up on eBay with buyers competing with each other hoping to score that "next" million dollar PDA chock full of corporate and government secrets. - WK]

By Kim Zetter
Aug. 25, 2003

The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his real name), a Seattle computer consultant who always wanted one of the pager-size devices to check his e-mail, sent in a bid. For just $15.50, he bought the wireless device with 4 MB of memory.

The BlackBerry didn't come with a cable, synching station, software or a manual. But it did come with something even more valuable: a trove of corporate data.

After popping a battery into the BlackBerry's back panel, Sacks discovered a few things the previous owner wouldn't have wanted him to see -- more than 200 internal company e-mails from financial services firm Morgan Stanley and a database of more than 1,000 names, job titles (from vice presidents to managing directors), e-mail addresses and phone numbers (some of them home numbers) for Morgan Stanley executives worldwide. It was all there to read, Sacks said, the minute he turned on the device.

The seller, who asked to remain anonymous, was a former vice president of mergers and acquisitions for Morgan Stanley who'd left the company months earlier.

"If I were Morgan Stanley, I'd be embarrassed," said a source who is an expert in the financial industry. "You should not be able to get that kind of information paying $16 on eBay."

Companies mentioned in the e-mails include technology firms, shipping firms, telecoms and accounting agencies.
The incident serves as a cautionary tale about the ways companies fail to manage sensitive data despite public assurances to the contrary. It also shows how employees who are entrusted with confidential information are often insufficiently trained about the simple yet sophisticated technologies they use.

In addition to personal e-mails that reveal the VP's own Charles Schwab IRA account numbers, the name and phone number of his mother and the amounts he paid for his monthly mortgage, car and Visa bills, the e-mails discuss confidential information about loan terms for Morgan Stanley clients, debt-restructuring strategies for specific companies, preliminary talks for potential merger deals and even some creative ways of interpreting contracts.

In the latter category, an e-mail exchange between two Morgan Stanley employees discusses a client who seems to want to step around the terms of a contract signed with a third party. A Morgan Stanley employee advises telling the company to stay "aboveboard" and follow the letter of the contract.

"They're asking you to act in something less than good faith it seems to me. Not wise. Better to have everything aboveboard and disclosed...." advises the one employee to another in e-mail.

The VP who sold the BlackBerry told Wired News he didn't know the information was on the device. He said he removed the battery months ago, and assumed that everything had been erased.

But Morgan Stanley said he violated a contract he signed promising to destroy or return any proprietary information.

"On the last day of employment the employee must remove and destroy any confidential information in their possession and return any mobile devices and any portable media belonging to the firm," said Diana Quintero, a company spokeswoman. "When people leave and they sign these papers, they're reminded of this policy."
While much of the information on the BlackBerry pertains to deals that are now public and thus no longer sensitive, the financial expert said it's simply a matter of luck that none of the e-mails contained information that could now be traded for profit on the stock market. Had the VP sold the BlackBerry after leaving his job months ago, some of the deals would still have been pending.

For instance, a series of e-mails discusses debt restructuring for one of Morgan Stanley's clients -- in all likelihood so that the client could raise capital to purchase a competitor. Judging from public information about the companies, that particular deal never went through, but the company did purchase a second competitor a few months later. Had anyone obtained information about the merger before it occurred, they could have thwarted the deal by offering a higher bid for the target company or could have bought stock in the target company and waited for the purchasing bid to spike its value.

"It's a violation of confidentiality, and it would really piss off the client if anybody found out about it," said the financial expert. "That's not something you ever want to be public until it's a done deal."

In addition to information contained in the body of the e-mails, there are numerous attachments that contain proprietary PowerPoint presentations, financial spreadsheets and case studies about finished deals that would interest any Morgan Stanley competitor who wanted to know how the firm conducts deals.

Because the attachments are stored on a server and not on the BlackBerry itself, though, no one can view them now that the VP's e-mail account is closed. But had the VP misplaced his BlackBerry while still an employee, someone could easily have read the attachments, too. The VP told Wired News that he never locked his BlackBerry with a password, and the device doesn't have encryption capabilities to let users scramble data stored in its memory.
Paige Steinbock, a partner in headhunting agency Korn/Ferry International, called the database of Morgan Stanley employee names and home phone numbers "a virtual gold mine of information."

Steinbock said headhunters regularly purchase directories of alumni associations and professional groups to track executives to hire. But, she said, "having something electronic like that address book would obviously speed up the process in terms of having accurate, identifiable names and numbers of people you're trying to target."

An address database can also aid corporate spies and hackers who want to piece together an organizational chart of company executives. Knowing the name, title and e-mail address of a managing director, a hacker can spoof the account and send correspondence as an executive. Someone posing as a managing director in the New York office, for instance, could contact a secretary in the Chicago office and request a company file be e-mailed to his home address.

The VP who sold the BlackBerry said he had no idea data could remain on a device long after the battery was removed.

"It didn't even occur to me that it would have this stuff still on there because it had been lying around for a long time without a battery in it," he said. "Had I known there was anything on it, I wouldn't have sold it."

The VP acknowledged he signed papers saying he needed to return company property. But the BlackBerry didn't belong to the firm. Morgan Stanley employees generally buy their own BlackBerries through a plan offered by the firm. The one the VP bought was shipped directly to Morgan Stanley's IT department, which set up the software and service on the BlackBerry before giving it to him.

"I paid (for it) on my credit card and they handed it to me in working order," said the VP. The large address book containing employee job titles and home phone numbers was already loaded on the device when he received it, he said.
"Usually what happens when someone leaves, they hand in their BlackBerry, everything is erased, and then we give it back to them," said Morgan Stanley's Quintero. "Obviously that didn't happen in this case."

Quintero said that while the VP may have sold the information accidentally, he still violated company policy. And even though the company knew he possessed the BlackBerry, she said the onus was on him to bring it forward to be cleaned.

"We trust employees with a lot of sensitive information; that's why we have these procedures in place. Someone who is in mergers and acquisitions and is a vice president should be very aware of his responsibilities," she said.

But Korn/Ferry's Steinbock said, "If they were vigorously wanting to protect their intellectual property, I would hardly think that's enough.

"Since it's information that would harm them, not him, it's perplexing that they wouldn't be more aggressive about retrieving that information and follow up with him. The company obviously doesn't have controls in place to take care of its own intellectual property, and that's really their fault," she said.

In fact, the VP said that when the company closed his e-mail account on his last day of work, he thought any data on the BlackBerry would be deleted remotely by the server.

"I just assumed it was all taken care of," he said.

Courtney Flaherty, a spokeswoman for Research in Motion, the company that manufactures the BlackBerry, said there are two ways to wipe data on a BlackBerry -- either manually using the synching software, or remotely through a command that gets pushed out from the server to the device. But that only works if a company uses the Microsoft Exchange server. Morgan Stanley uses Lotus Domino.

This is not the first time an individual or organization inadvertently sold sensitive data with a used system.
Last year a Veterans Administration medical center sold or donated to schools 139 used computers that turned out to contain credit card numbers and medical data for patients afflicted with AIDS and mental health conditions.

Recently MIT researchers purchased used hard drives from computer resellers and eBay auctions to see how many drives contained recoverable data. Out of 129 drives they examined, only 12 had been properly cleaned. One hard drive contained 3,722 deleted credit-card numbers that were easily recoverable. And another drive, which appeared to come from an ATM, showed no evidence that the bank had tried to erase it. It still contained the ATM's log of customer account numbers and balances.

The incident with Morgan Stanley highlights the risk of disseminating data on handheld devices. With so many PDAs and mobile phones sold secondhand each year, there are likely numerous cases that have never become known.

Judging from the windfall of info captured on the VP's BlackBerry, the financial expert interviewed for this story said he could only imagine the wealth of information people could gather if they placed ads for used BlackBerries online and waited for the devices to roll in.

Of course, information leaks occur in non-technical ways as well, he noted. Employees take paperwork home all the time. But new technology, he said, "makes it more efficient (and) compact" to transport lots of data at once. As a result, a higher volume of information can be captured in a single device than if someone simply left a briefcase behind on the subway.

From employees who willfully take data with them when they leave a job to those who are simply neglectful, he said banks lose confidential information all the time.

"We don't make a big deal about it, we never tell anybody about it, but that's the bottom line," he said.
Guy Diament, a senior systems engineer in New York, said it's up to companies to communicate with employees about secure computing and to train them to use passwords as well as encryption when available.

"But they can't just encrypt files at work. If an employee syncs files to a laptop, a handheld or a home computer, then the files have to be encrypted there if possible."

"The bottom line," he said, "is that as long as a company allows employees to duplicate and triplicate company files on devices that leave the office, it cannot ensure that its information won't ever get out. It can only strive to protect itself."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 09:56:05 PDT